Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mbadanoiu/cve-2024-34693

CVE-2024-34693: Server Arbitrary File Read in Apache Superset
https://github.com/mbadanoiu/cve-2024-34693

0-day arbitrary-file-read cve cve-2024-34693 cves

Last synced: 2 days ago
JSON representation

CVE-2024-34693: Server Arbitrary File Read in Apache Superset

Host: GitHub
URL: https://github.com/mbadanoiu/cve-2024-34693
Owner: mbadanoiu
Created: 2024-07-27T21:28:11.000Z (4 months ago)
Default Branch: main
Last Pushed: 2024-07-27T21:58:04.000Z (4 months ago)
Last Synced: 2024-07-28T00:19:30.869Z (4 months ago)
Topics: 0-day, arbitrary-file-read, cve, cve-2024-34693, cves
Homepage:
Size: 1.73 MB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# CVE-2024-34693: Server Arbitrary File Read in Apache Superset

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. By enabling local_infile in the Superset MySQL/MariaDB client and pointing the client to a malicious MySQL server, an attacker may launch “LOAD DATA LOCAL INFILE” (Rogue MySQL Server) attacks resulting in reading files from the server and inserting their content in a MariaDB database table.

### Vendor Disclosure:

The vendor's disclosure for this vulnerability can be found [here](https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon).

### Requirements:

This vulnerability requires:

- Valid credentials for a user which can create database connections

OR
- Bypassing authentication via known Flask secret

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2024-34693/blob/main/Apache%20Superset%20-%20CVE-2024-34693.pdf).

### Additional Resources:

[Bettercap's mysql.server (rogue)](https://www.bettercap.org/modules/ethernet/servers/mysql.server/)

Blogposts from horizon3.ai regarding the exploitation of multiple Superset CVEs from 2023 [Part 1](https://www.horizon3.ai/attack-research/disclosures/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/) and [Part 2](https://www.horizon3.ai/attack-research/disclosures/apache-superset-part-ii-rce-credential-harvesting-and-more/)